You can clone with
HTTPS or Subversion.
Social Stream is not compatible with default mass attributes protection shipped with Rails 3.2.3
Developers of Rails > 3.2.3 applications must setconfig.active_record.whitelist_attributes = false in config/application.rb
config.active_record.whitelist_attributes = false
This needs to be fixed in the mid-term. However, there was some discussion whatever these restrictions should be declared in the controller. So we will probably wait until see the final solution included in Rails 4
So I'm leaning towards using social_stream for an application I'm building but I'm worried about the security implications of this issue.
Is a fix as simple as me going through the code base and adding attr_accessible lines with a script some how or is it a lot more complicated than that.
I guess my question is 2 fold.
1) how big a security issue is it? Could people potentially post as other people or stuff like that?
2) how much work do you think it is and how specific? Would it take a lot of specific knowledge or is it just tedious?
I'll volunteer if its easy and its just been put off because its tedious :)
Hi @williscool, thank you for your offering
I guess the way to go in Rails 4 is protecting then in the controller, using the functionality of this plugin: https://github.com/rails/strong_parameters
I would be awesome to have this fix in Social Stream. I think it is potencially very harmful, up to the point you mention or beyond. The work is just tedious, watching for the parameters that are send in each request and adding them to the controller.
So I just got my social_steam app working. I got stuck for while because I ran into this.
Rails issue but I got it resolved with the monkey patch there.
I'm gonna focus on updating the gem dependenices to work with my app and then I'll circle back around for this
Also leaving this for reference. I like aspects of ryan's solution
@williscool any advance on this?
Not yet. Been swamped recently and hadn't had time to come back to this yet.
Ok, no problem. @rafaelgg and @raquelgb are taking on it, since it is a serious issue that needs to be solved
Ok good news. Let me know about progress. I'm most interested in this and the twitter bootstrap update
Social Stream now uses https://github.com/rails/strong_parameters